In a March 19, 2009 ruling, the U.S. District Court for the Northern District of Texas recently recognized that the Texas Whistleblower Act prohibits health care organizations run by the State of Texas from retaliating against employees for making good faith complaints of violations of the Privacy Rules of the Health Insurance Portability Act (“HIPAA”), Nevertheless, the court dismissed the wrongful discharge lawsuit brought by a former Terrell State Hospital security guard who alleged he was wrongfully fired for complaining to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) that the Hospital violated the HIPAA Privacy Rules because the plaintiff had failed to present sufficient proof that he was terminated in retaliation for filing a HIPAA complaint.

Illustrative of a growing number of state law retaliatory discharge claims brought be employees claiming to have been retaliated against for complaining about alleged violations of HIPAA’s Privacy Rules, Faulkner v. Department of State Health Servs.,2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009), involved claims made by plaintiff Anthony Faulkner that the Texas Department of State Health Services (DSHS); Terrell State Hospital; Texas DSHS Commissioner David L. Lakey, M.D., Terrell State Hospital Superintendent Fred Hale and Terrell State Hospital Risk Management Coordinator Clent Holmes, R.N. Plaintiff Anthony Faulkner ("Faulkner") violated the Whistleblower Act and the First and Fourteenth Amendments by firing him seven days after he complained to OCR that Terrell State Hospital violated the HIPAA Privacy Rule by leaving admissions logs containing patient names and admission dates in a public area.

The Texas Whistleblower Act generally prohibits a state or local governmental entity from terminating or taking any other adverse personnel action against, a public employee who in good faith reports a violation of law by the employing governmental entity or another public employee to an appropriate law enforcement authority. See Tex. Gov't Code § 554.002(a). While the Court affirmed that the Texas Whistleblower Act permits a public employee of the State of Texas discharged or otherwise retaliated against for complaining in good faith to OCR that his public employer or its employee violated the HIPAA Privacy Rules, the Court nevertheless granted summary judgment to the defendants.

According to the court, Faulkner’s failure to introduce evidence rebutting defendant’s affidavit that he was terminated for repeatedly violating rules requiring him to report suspected abuse of patients precluded him from proving his termination was in retaliation for his filing of the HIPAA complaint. Meanwhile, the court also ruled that Faulkner’s claims against the individual defendants should be dismissed as the Whistleblower Act only creates a cause of action against governmental entities, and not their employees. Having found Faulkner’s constitutional claims also without merit, the District Court granted the defendant’s motion for summary judgment.

While the Faulkner defendant’s were able to overcome Faulkner’s retaliatory discharge claim, the decision highlights the need for health care providers and other HIPAA covered entities to take appropriate precautions to defend against potential wrongful discharge, retaliation or other claims by employees or other service providers who have complained of possible HIPAA violations or for attempting to exercise other HIPAA-protected rights. HIPAA covered entities now only should avoid in engaging in actions that might unnecessarily fuel claims of retaliation, they also should carefully document and preserve evidence necessary to demonstrate the legitimacy of their disciplinary actions on an ongoing basis.

Although the Faulkner court ruled that a whistleblower claimant was not required to prove that the conduct that formed the basis of its complaint actually violated the HIPAA, obviously effective compliance with HIPAA and other privacy and data security mandates plays a key role in the prevention of whistleblower claims as well as the overall management of HIPAA related liabilities of covered entities as a whole.Health care providers, health plans and their sponsoring employers and insurers, and other HIPAA covered entities and their service providers face growing liability under HIPAA generally.

On February 18, 2009, for instance, OCR and the Federal Trade Commission (“FTC”) jointly announced that CVS Pharmacy, Inc., the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement to resolve charges it violated HIPAA and other laws by disposing of pill bottles, prescriptions and other non-electronic records in dumpsters under the second Resolution Agreement announced by OCR.Under the Resolution Agreement, CVS also must take corrective action to ensure that it does not violate the HIPAA privacy rights of its millions of patients when disposing of non-electronic patient information such as identifying information on pill bottle labels.CVS also will conduct employee training on HIPAA compliance and impose sanctions for any noncompliance.In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act.The investigation resulting in the settlement marks the first instance where the OCR formally coordinated on investigation and resolution of a case with the FTC.

These and other developments make it imperative covered entities immediately review and update their HIPAA and other data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

We hope you found this information helpful.If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other employment or or other laws or wishes to inquire about HIPAA training or other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer via e-mail to [email protected] or by telephoning Ms. Stamer at 469.767.8872. To learn more about the Cynthia Marcotte Stamer, see CynthiaStamer.com.

Cynthia Stamer

Cynthia Marcotte Stamer, is nationally and internationally recognized for her work assisting businesses, governments, and other entities to develop creative strategies for dealing with employee benefit and related human resources, insurance, health care and finance concerns. Ms. Stamer helps businesses design, administer and defend cost-effective employee benefit other human resources programs, policies and procedures to meet their budgetary and other business objectives.